I denied access to VPN clients on the network 172.16.0.0 and permited them access to network 10.0.0.0.

You see? I have not used ANY because if You later add more than one LAN than is it more easy to handle the ACL, more easier to find out who have and who have not permission to access specified networks.